Multisig governance setup

This page highlights the Orbit DeFi multi-signature governance setup: its implementation, the measures taken for its security and all the powers granted by the governance permissions.

PreviousContract Addresses NextUser Guide

Last updated 2 years ago

Multisig governance setup

This page highlights the Orbit DeFi multi-signature governance setup: its implementation, the measures taken for its security and all the powers granted by the governance permissions.

How it works

Orbit makes use of a multi-signature setup for its governance functions. The members of the multi-signature wallet are all team members. For OpSec reasons, the individual team member identity will not be disclosed in this page.

The Multisig implementation used is a standard Gnosis Safe. The multisig's assets, transactions, and signers can be viewed through the Gnosis Safe Web UI .

Furthermore, the Orbit multisig is protected under a Timelock contract for added safety and better reaction times in case of compromises. The minimum delay is set to 6 hours by default. The Orbit team also manages an internal as well as public Discord bot which broadcasts notifications of all transactions towards the Timelock contract in real-time, to keep the community informed on all the governance actions before they go live.

Orbit Multisig Safe (Polygon):
Orbit Timelock contract:

What powers does the Orbit Multisig have?

The Multisig setup includes control of the following contract modifiers:

Registry :: onlyGovernance protected functions
PositionManagerFactory :: onlyGovernance protected functions

The following is a list of all the governance-permissioned functions and their side effects:

Registry :: setPositionManagerFactory: this function sets a new Position manager factory contract address. Changing the factory address does not influence already-created PositionManagers, as it is only used as a check to verify that new PositionManagers are created from the correct factory.
Registry :: changeGovernance: this function sets a new governance address for this contract.
Registry :: addNewContract: this function adds a contract address to the list of existing modules. This function is used to deploy new features to the protocol, in which modules are the contracts that manage the liquidity strategies that users can benefit from.
Registry :: changeContract: this function modifies an existing module entry address.
Registry :: switchModuleState: this function is used to switch modules on or off globally. This impacts which features users can use.
Registry :: addKeeperToWhitelist: this function adds a keeper bot address to the whitelist of addresses that can execute module-specific functions (for instance, auto-compounding or rebalancing liquidity positions). The whitelist exists only for preemptive security reasons.
Registry :: removeKeeperFromWhitelist: this function removes a keeper bot address from the whitelist.
Registry :: setDefaultValue: this function sets the default value setting for a module entry. For instance, auto-compounds by defaults happen at 2% accumulated fee threshold.
Registry :: setDefaultActivation: this function sets the module entry default activation. For instance, the auto-compund module is active by default.
Registry :: setMaxTwapDeviation: this function is only used to specify the maximum effective slippage accepted on internal swaps. We leverage the Uniswap TWAP oracles for frontrunning protection.
Registry :: setTwapDuration: this function is only used to specify the number of blocks to consider for TWAP frontrunning protection.
PositionManagerFactory :: changeGovernance: this function sets a new governance address for this contract.
PositionManagerFactory :: changeRegistry: this function sets a new registry contract address
PositionManagerFactory :: updateDiamond: this function is used to update an already-deployed action contract address. This is possible because we use a diamond-like architecture for our smart vaults. This is used to add features to existing Orbit users down the line.
PositionManagerFactory :: updateActionData: this function can add or remove action contracts from the factory. This is used to add new features down the line or deprecate old ones from new smart vaults.

PreviousContract Addresses NextUser Guide

Last updated 2 years ago

How it works

The Multisig implementation used is a standard Gnosis Safe. The multisig's assets, transactions, and signers can be viewed through the Gnosis Safe Web UI .

Orbit Multisig Safe (Polygon):
Orbit Timelock contract:

What powers does the Orbit Multisig have?

The Multisig setup includes control of the following contract modifiers:

Registry :: onlyGovernance protected functions
PositionManagerFactory :: onlyGovernance protected functions

The following is a list of all the governance-permissioned functions and their side effects:

Registry :: setPositionManagerFactory: this function sets a new Position manager factory contract address. Changing the factory address does not influence already-created PositionManagers, as it is only used as a check to verify that new PositionManagers are created from the correct factory.
Registry :: changeGovernance: this function sets a new governance address for this contract.
Registry :: addNewContract: this function adds a contract address to the list of existing modules. This function is used to deploy new features to the protocol, in which modules are the contracts that manage the liquidity strategies that users can benefit from.
Registry :: changeContract: this function modifies an existing module entry address.
Registry :: switchModuleState: this function is used to switch modules on or off globally. This impacts which features users can use.
Registry :: addKeeperToWhitelist: this function adds a keeper bot address to the whitelist of addresses that can execute module-specific functions (for instance, auto-compounding or rebalancing liquidity positions). The whitelist exists only for preemptive security reasons.
Registry :: removeKeeperFromWhitelist: this function removes a keeper bot address from the whitelist.
Registry :: setDefaultValue: this function sets the default value setting for a module entry. For instance, auto-compounds by defaults happen at 2% accumulated fee threshold.
Registry :: setDefaultActivation: this function sets the module entry default activation. For instance, the auto-compund module is active by default.
Registry :: setMaxTwapDeviation: this function is only used to specify the maximum effective slippage accepted on internal swaps. We leverage the Uniswap TWAP oracles for frontrunning protection.
Registry :: setTwapDuration: this function is only used to specify the number of blocks to consider for TWAP frontrunning protection.
PositionManagerFactory :: changeGovernance: this function sets a new governance address for this contract.
PositionManagerFactory :: changeRegistry: this function sets a new registry contract address
PositionManagerFactory :: updateDiamond: this function is used to update an already-deployed action contract address. This is possible because we use a diamond-like architecture for our smart vaults. This is used to add features to existing Orbit users down the line.
PositionManagerFactory :: updateActionData: this function can add or remove action contracts from the factory. This is used to add new features down the line or deprecate old ones from new smart vaults.